[Pki-users] Questions on customizing certificate profiles

Chandrasekar Kannan ckannan at redhat.com
Thu Apr 8 23:42:21 UTC 2010


On 04/08/2010 04:33 PM, Arshad Noor wrote:
> I will give this a shot, Kevin - although I wonder how much
> time it will take to get the Build environment right to get
> through all the compiles vs. doing a "renewal" of the certs.
>
> However, to follow up on the other issue - the documentation
> on RHBA-2009-1602 suggests that only the SHA-2 algorithm issue
> can be fixed.  Am I still stuck with the renewal method to get
> the other certificate extensions fixed - the keyUsages, AIA,
> OCSPNoCheck, etc?

I don't think so. You should be able to get those customized
by editing those profile config files in question before going
through the wizard. SHA-2 was a bit hard-coded IIRC, hence it
required code changes.

>
> Arshad Noor
> StrongAuth, Inc.
>
> Kevin Unthank wrote:
>> Hi Arshad,
>>
>> We most certainly have not forgotten our open-source roots.
>>
>> In response to customer demand for this SHA2 functionality, Red Hat
>> engineers implemented it and released it as an enhancement errata
>> for RHCS8. At the very same time, the source code for that
>> enhancement was made available, freely, to everyone in the dogtag
>> community.
>>
>> You can check out that code with SVN:
>> svn co https://pki.fedoraproject.org/svn/pki/branches/PKI_8_0_ERRATA_BRANCH
>> Merge it with the dogtag source and compile your own dogtag
>> packages with the desired functionality.
>>
>> As I stated in my earlier response we absolutely intend to
>> take the code from the open-source CS8 branch, and add it to the
>> open-source dogtag tip but that work has not been scheduled yet.
>> I will see if I can get the priority bumped up.
>>
>> I strongly encourage you to create your own dogtag build
>> environment so you can get access to the latest code checkins.
>> There are instructions for doing this on the dogtag wiki and
>> I know some of the community members have already done this.
>>
>> There is no manipulation of the trust and goodwill of the
>> open-source community going on here.
>>
>> Cheers,
>> Kev
>>
>> On 04/08/2010 03:25 PM, Arshad Noor wrote:
>>> I am sorry to read this, Kevin.  It suggests that RedHat has
>>> forgotten its open-source roots and what made it a billion
>>> dollar company in the first place.
>>>
>>> We are all familiar with the **** that companies put up with
>>> when buying some commercial products. Open-source was meant
>>> to be an answer to that problem - that quality could be vastly
>>> improved in software when there were many eyes looking at the
>>> source - not because some people just like the idea of seeing
>>> the source-code of the products they use.
>>>
>>> That RedHat was making money on services off of open-source
>>> products was perfectly acceptable - there is real value in
>>> services. But, when the open-source company starts
>>> differentiating its open-source products from its commercial
>>> products, it subverts the whole notion of open-source and what
>>> it stands for.
>>>
>>> If the fix did not exist and it was up to the open-source
>>> community to prioritize the fix, that's one thing. But when
>>> the fix *does* exist, and has been merged into the commercial
>>> branch, but is not merged into the open-source branch - that
>>> suggests deliberate manipulation of the trust and goodwill of
>>> the open-source community.
>>>
>>> Arshad Noor
>>> StrongAuth, Inc.
>>>
>>>
>>> Kevin Unthank wrote:
>>>> Hi Arshad,
>>>>
>>>> Obviously, there are differences between RHCS8 and the latest release
>>>> of Dogtag. Generally, new feature development takes place in dogtag
>>>> and some of those features find their way back into RHCS8. Bug fixing
>>>> often occurs first in RHCS8 and those fixes are ported to dogtag.
>>>>
>>>> PKI with only SHA-2 hashes is a fix that was made in the RHCS8
>>>> code tree and released in both source and binary form in errata
>>>> RHBA-2009-1602. That fix will make it into dogtag builds but I can't
>>>> commit to a specific release or date when this will happen.
>>>>
>>>> Until then it should be possible to work around the problem by using
>>>> pkisilent or the renewal method suggested by Andrew.
>>>>
>>>> Cheers,
>>>> Kev
>>>>
>>>> On 04/08/2010 10:55 AM, Arshad Noor wrote:
>>>>> Can someone from the DogTag Engineering team confirm that a PKI
>>>>> with only SHA-2 hashes *cannot* be built with the current version
>>>>> of the product?
>>>>>
>>>>> I find this hard to believe given that the RHCS documentation seems
>>>>> to indicate that it is possible to do so, and given that the
>>>>> underlying code already has SHA-2 support; nevertheless, can someone
>>>>> confirm Oliver's finding? Thanks.
>>>>>
>>>>> Arshad Noor
>>>>> StrongAuth, Inc.
>>>>>
>>>>> P.S. Since the RHCS 8.0 documentation does state that SHA-2 hashes
>>>>> can be configured at the time the self-signed cert is created, does
>>>>> that imply that the commercial RHCS is technologically different from
>>>>> the open-source DogTag? And, that it isn't just a question of RedHat
>>>>> support?
>>>>>
>>>>>
>>>>> Oliver Burtchen wrote:
>>>>>> Hi @ all,
>>>>>>
>>>>>> I also tried to change from "SHA1withRSA" to "SHA256withRSA" by
>>>>>> editing the config files. No luck!
>>>>>>
>>>>>> I found, this is hard-coded in the sources, for example in:
>>>>>>
>>>>>> - pki-common-1.3.2/src/com/netscape/cms/servlet/csadmin/SizePanel.java
>>>>>> - pki-common-1.3.2/src/com/netscape/cmscore/security/CASigningCert.java
>>>>>>
>>>>>> Just look for "SHA1withRSA" in the files; I don't think these are
>>>>>> just fallbacks.
>>>>>> Best regards,
>>>>>> Oli
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wednesday, 7 April 2010 03:27:04, Chandrasekar Kannan wrote:
>>>>>>> On 04/06/2010 05:08 PM, Arshad Noor wrote:
>>>>>>>> The only option that is visible under Advanced is the key-size
>>>>>>>> for each of the certificate-types. The hash algorithm does not
>>>>>>>> show up at all.
>>>>>>>>
>>>>>>>> Even the default, as mentioned by Step 8, is not the default as
>>>>>>>> the last 10-12 installs have shown:
>>>>>>>>
>>>>>>>> * SHA256withRSA (the default)
>>>>>>>>
>>>>>>>> So, the question is: is the current build of DogTag in the pki
>>>>>>>> repository identical to RHCS 8.0 or is it a different version?
>>>>>>> It might very well be ... we can look at the svn commits
>>>>>>> to be really sure...
>>>>>>>
>>>>>>>> Arshad Noor
>>>>>>>> StrongAuth, Inc.
>>>>>>>>
>>>>>>>> Chandrasekar Kannan wrote:
>>>>>>>>> the installation wizard should provide 'options' under the advanced
>>>>>>>>> section for you to be able to select the alg to use. Have you tried
>>>>>>>>> doing Step (8) from here?
>>>>>>>>> http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuring_a_CA.html
>>>>>>> _______________________________________________
>>>>>>> Pki-users mailing list
>>>>>>> Pki-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>>>>
>>>>>>
>>>>>
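Whether the signing algorithm came from the hard-coded "SHA1withRSA" Oliver found in the sources or the extensions from the profile config files Chandrasekar points at, the check a practitioner wants after the wizard runs is to inspect what the CA certificate actually contains. The following is an added example, not code from this thread or from Dogtag: a stdlib-only Python DER walker that reports the certificate's signature algorithm OID and which of keyUsage, AIA and OCSPNoCheck are missing, exercised here against a constructed, unsigned sample certificate rather than a real one (the OIDs are the standard values; `sample_cert` and its contents are assumptions).

```python
# Added example, not Dogtag code: audit a DER certificate for SHA-2 signing and expected extensions.
SHA256_RSA = "1.2.840.113549.1.1.11"                     # sha256WithRSAEncryption
WANTED = {"2.5.29.15": "keyUsage", "1.3.6.1.5.5.7.1.1": "AIA",
          "1.3.6.1.5.5.7.48.1.5": "OCSPNoCheck"}         # extensions the thread wants fixed
def tlv(tag, body):                                      # DER tag-length-value encoder
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def enc_oid(dotted):                                     # dotted string -> OBJECT IDENTIFIER TLV
    a = [int(x) for x in dotted.split(".")]
    out = [a[0] * 40 + a[1]]
    for v in a[2:]:
        chunk = [v & 0x7F]
        while v > 127:
            v >>= 7; chunk.insert(0, 0x80 | (v & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))
def children(buf):                                       # split a constructed body into (tag, body)
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                     # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n])); pos += n
    return out
def dec_oid(body):                                       # OBJECT IDENTIFIER body -> dotted string
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))
def audit(der):
    tbs, sig_alg, _ = children(children(der)[0][1])      # Certificate ::= SEQ {tbs, alg, sig}
    alg = dec_oid(children(sig_alg[1])[0][1])
    exts = [b for t, b in children(tbs[1]) if t == 0xA3] # [3] EXPLICIT Extensions, if present
    found = {dec_oid(children(e)[0][1]) for x in exts for _, e in children(children(x)[0][1])}
    return {"alg": alg, "sha2": alg == SHA256_RSA,
            "missing": sorted(n for o, n in WANTED.items() if o not in found)}
def sample_cert(alg_oid, ext_oids):                      # constructed, unsigned structural sample
    alg = tlv(0x30, enc_oid(alg_oid) + b"\x05\x00")
    name, t = tlv(0x30, b""), tlv(0x17, b"100408000000Z")
    spki = tlv(0x30, tlv(0x30, enc_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + tlv(0x03, b"\x00"))
    exts = b"".join(tlv(0x30, enc_oid(o) + tlv(0x04, b"\x05\x00")) for o in ext_oids)
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + alg + name
              + tlv(0x30, t + t) + name + spki + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))    # signature bytes are a placeholder
```

On a real CA certificate, feed `audit()` the DER bytes (for a PEM file, base64-decode the body between the BEGIN/END lines first); an `alg` of 1.2.840.113549.1.1.5 is the sha1WithRSAEncryption case the thread is about.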
